[ Datadog ] Java Trace SDK 원격 코드 실행(RCE) 취약점 안내

Datadog의 Java 트레이싱 라이브러리에서 RMI(Remote Method Invocation) 도구화 과정 중, 입력 데이터를 직렬화 필터 없이 역직렬화(Deserialization)하는 취약점이 발견되었습니다. 공격자가 네트워크를 통해 JMX 또는 RMI 포트에 접근 권한이 있는 경우, 원격에서 코드를 실행할 수 있는 위험이 있습니다.

1. 취약점 발생 조건 (아래 3가지가 모두 해당될 경우 위험)

• Java 버전: Java 16 이하 버전에서 dd-trace-java를 Java 에이전트(-javaagent)로 사용 중인 경우 (Java 17 이상은 영향 없음)
• 설정: JMX/RMI 포트가 명시적으로 설정되어 있고(-Dcom.sun.management.jmxremote.port), 네트워크를 통해 접근 가능한 경우
• 라이브러리: 클래스패스에 commons-collections 3.x와 같은 가젯 체인(Gadget-chain) 호환 라이브러리가 존재하는 경우

2. 영향받는 버전 및 패치 정보

• 영향받는 버전: com.datadoghq:dd-java v0.40.0 ~ v1.60.2
• 패치된 버전: com.datadoghq:dd-java v1.60.3 이상

3. 대응 방법 (권장 조치)

- 임시 해결책 (업데이트가 불가능할 경우)

   즉시 업데이트가 어렵다면, 환경 변수를 설정하여 RMI 통합 기능을 비활성화하세요.

• 설정값: DD_INTEGRATION_RMI_ENABLED=false
• 주의: 다시 활성화할 경우 취약점에 노출됩니다.

4. 추가 보안 강화 조치

• 네트워크 제한: 방화벽이나 Kubernetes NetworkPolicy를 통해 JMX/RMI 포트 접근을 신뢰할 수 있는 호스트로만 제한하세요.
• 인증 및 암호화: JMX를 반드시 노출해야 한다면 아래 설정을 추가하세요.
  • -Dcom.sun.management.jmxremote.authenticate=true
  • -Dcom.sun.management.jmxremote.ssl=true
• 로그 모니터링: 예상치 못한 프로세스 실행, 비정상적인 외부 연결, 의심스러운 파일 생성 여부를 점검하세요.

[ Datadog 안내 원문 ] 

We are reaching out because you are running a version of the Datadog Java tracing library (com.datadoghq:dd-java-agent) that is vulnerable to a remote code execution (RCE) flaw. In affected versions, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. This vulnerability does not impact the Datadog platform. The risk is limited to your own infrastructure and depends on your network exposure and configuration.

Are you impacted?

All three (3) of the following conditions must be true to exploit this vulnerability:

• dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier (Java 17+ is not exploitable)
• A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
• A gadget-chain-compatible library is present on the classpath (e.g., commons-collections 3.x)

Note: Remote JMX is not enabled by default, but some integrations required enabling it.

Impacted Versions: com.datadoghq:dd-java >= 0.40.0 and <= 1.60.2

Patched Versions: com.datadoghq:dd-java >= 1.60.3

What did Datadog do?

Upon identifying this vulnerability, Datadog immediately developed a patched version of dd-trace-java (v1.60.3) that changes the RMI context propagation wire format to only transmit integers and strings. This new format eliminates the ability to read arbitrary objects, preventing unsafe deserialization in the RMI instrumentation. We are notifying all potentially impacted customers and will continue to monitor for any signs of exploitation, providing further updates if the situation changes.

What should you do?

• For JDK 17 and later: No action is required, but upgrading to v1.60.3 is encouraged.
• For JDK 8u121 through JDK 16: Upgrade to dd-trace-java v1.60.3 or later.
• For JDK earlier than 8u121 where serialization filters are not available: Apply the workaround below.

Workaround: If you cannot upgrade immediately, disable the RMI integration by setting the following environment variable:

DD_INTEGRATION_RMI_ENABLED=false

Note: Re-enabling RMI instrumentation will reintroduce the vulnerability.

Additional mitigations:

• Restrict network access: Limit JMX/RMI port access to trusted hosts only using firewall rules or Kubernetes NetworkPolicy.
• Enable JMX authentication and TLS: If JMX must remain exposed, set -Dcom.sun.management.jmxremote.authenticate=true and -Dcom.sun.management.jmxremote.ssl=true.
• Review logs: Look for signs of exploitation, e.g. unexpected process executions, anomalous outbound connections, or unusual files created on the system.

If we determine further impact or have additional guidance, we will update you accordingly. Please let us know if you have any questions.